Unfortunately, this is all a bit much for most people and overwhelm kicks in, resulting in simplistic passwords that rarely get updated.

What’s all the fuss about? Who’s gonna guess my password?

Before we go any further, we must stress how much password strength matters, even if you feel you are not a target.

You are a target. Every. Single. Day.

Not because you are you, but simply by the fact that you exist.

Automated bots that brute-force or crack passwords don’t care who you are; they only care about gaining access. They’re built on the sound premise that most users choose weak passwords, so they try the common ones first.

Your dog’s name isn’t unique. Nor is your date of birth. Your maiden name isn’t special, and your son’s middle name has been chosen by many other people before you and since.

Please, if you get nothing else from this article, and without meaning to strike baseless fear into you, understand that you are a target, and your passwords matter.

You’re Only As Strong As Your Weakest Link

You’ve heard that one before, I’m sure. And for good reason.

You can secure your WordPress site, keep it up to date, apply patches, run scans, use Cloudflare and employ all manner of security measures, but if your administrator passwords are weak, none of it matters.

This applies not only to you, but to every administrator on your site.

And if you’re using shared web hosting, it applies to every administrator on every site that shares that hosting.

What Is Your Current Password Policy?

Password Complacency is not a great security policy. It will come back to bite you.

This isn’t just about how strong your passwords are, it’s about every user with any access privileges on your sites and resources.

Unfortunately WordPress has no built-in way to enforce password policies: core shows a strength meter when a password is chosen, but nothing stops a user from ignoring it.

Does Your Lack Of A Password Policy Align You With The GDPR? No.

Firstly, if you’ve never heard of GDPR, and you don’t know what it is, start here.

GDPR is a scary term for many people at the moment, but at its core it is about enforcing sound security practices alongside robust privacy safeguards.

Article 32 of the GDPR requires that organisations “…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”

We’re currently reviewing our policies and guidelines to ensure we’re compliant with GDPR rules. Part of this is the automated enforcement of password policies across all our WordPress websites and services.

With the Shield Security Password Policies in-place, we can now point to “appropriate measures”. These policies help ensure a high degree of security for user access control.

You’re not in Europe, so GDPR doesn’t apply to you? Not so.

If you or your customers handle the personal data of people in the EU, directly or through parties that do business in Europe, you (and your customers) may be subject to GDPR compliance, wherever you are based.

How so?

No organisation can itself be GDPR compliant while handing personal data to another organisation that offers no guarantee of protecting it; the Regulation requires controllers to use only processors that provide sufficient guarantees.

Just to be clear, Shield Security does not “make” you GDPR compliant. But employing appropriate security measures to protect sensitive data plays a role in getting you there.

WordPress Password Policies Available With Shield Security

With the latest release (v6.6) of Shield Security, we’re providing several important password policy rules.

Passwords are checked at four points:

Account Registration

Forgotten Password Reset

Profile Update

Account Login (only when the option “Apply To Existing Passwords” is turned on; see below)
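To make the four check points concrete, here is an added example in plain WordPress PHP of what enforcing a policy at each of them looks like. It is not Shield Security’s code; the policy values, the pwpol_ function names and the user-meta flag are assumptions chosen for illustration. It hooks the same four places listed above: registration (for forms that post a pass1 field), password reset, profile update, and login, where an existing password is only visible in clear because the user has just typed it.

```php
<?php
/*
Plugin Name: Example Password Policy (added example, not Shield Security code)
*/

// Assumed policy values; a real plugin exposes these as options.
const PWPOL_MIN_LENGTH  = 12;
const PWPOL_MIN_CLASSES = 3;                    // of: lower, upper, digit, symbol
const PWPOL_META_KEY    = 'pwpol_must_change';  // hypothetical user-meta flag

/** Return human-readable policy violations for a password (empty array = passes). */
function pwpol_violations( string $password, string $login = '' ): array {
    $errors = array();
    if ( strlen( $password ) < PWPOL_MIN_LENGTH ) {
        $errors[] = sprintf( 'must be at least %d characters', PWPOL_MIN_LENGTH );
    }
    $classes = (int) preg_match( '/[a-z]/', $password )
             + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/[0-9]/', $password )
             + (int) preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < PWPOL_MIN_CLASSES ) {
        $errors[] = sprintf( 'must mix at least %d of: lower, upper, digit, symbol', PWPOL_MIN_CLASSES );
    }
    if ( $login !== '' && stripos( $password, $login ) !== false ) {
        $errors[] = 'must not contain the username';
    }
    return $errors;
}

/** Push violations into the WP_Error that WordPress will render on the form. */
function pwpol_add_errors( WP_Error $errors, string $password, string $login = '' ): void {
    foreach ( pwpol_violations( $password, $login ) as $i => $msg ) {
        $errors->add( 'pwpol_' . $i, 'Password ' . $msg . '.' );
    }
}

// 1. Account registration: core's own form posts no password, but forms that
//    do (custom or e-commerce registration) usually post it as pass1.
add_filter( 'registration_errors', function ( WP_Error $errors, $login ) {
    if ( isset( $_POST['pass1'] ) ) {
        pwpol_add_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), (string) $login );
    }
    return $errors;
}, 10, 2 );

// 2. Forgotten-password reset: wp-login.php?action=rp posts pass1/pass2 and
//    only calls reset_password() if $errors stays empty.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $user instanceof WP_User ) {
        pwpol_add_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );

// 3. Profile update (profile.php / user-edit.php); $user is the stdClass that
//    edit_user() builds. A compliant new password clears the "must change" flag.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        pwpol_add_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), (string) ( $user->user_login ?? '' ) );
        if ( ! $errors->has_errors() && ! empty( $user->ID ) ) {
            delete_user_meta( $user->ID, PWPOL_META_KEY );
        }
    }
}, 10, 3 );

// 4. Login: the only point where an existing password is available in clear.
//    This filter runs before core verifies the password, so verify it here and
//    only flag the account when the correct password fails the policy. Never
//    reject the login itself; the user is forced to change it afterwards.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( $user instanceof WP_User
         && wp_check_password( (string) $password, $user->user_pass, $user->ID )
         && pwpol_violations( (string) wp_unslash( $password ), $user->user_login ) ) {
        update_user_meta( $user->ID, PWPOL_META_KEY, time() );
    }
    return $user;
}, 10, 2 );

// Keep a flagged user on their profile page in the admin area until they have
// saved a password that passes (the profile form posts back to profile.php).
add_action( 'admin_init', function () {
    $uid = get_current_user_id();
    if ( $uid && get_user_meta( $uid, PWPOL_META_KEY, true )
         && ! in_array( $GLOBALS['pagenow'], array( 'profile.php', 'admin-ajax.php' ), true ) ) {
        wp_safe_redirect( admin_url( 'profile.php' ) );
        exit;
    }
} );
```

Two design points worth noting: the login hook must not block authentication on a weak password, or every existing user fails the policy before they can fix it, which is why it flags the account and lets the redirect do the enforcing; and the redirect only covers wp-admin, so a site with front-end login would need the same check on its own pages.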

Password Strength

Strength labels range from Very Weak -> Very Strong. These labels don’t align exactly with the WordPress password strength meter, so you may see conflicting results when you use this. But if you ever use the default password that WordPress provides when you reset your password, you’ll easily pass on both strength tests.

Of course, the “strength” of a password is determined by many factors, and length is only one of them. Predictability matters just as much: a password built from a dictionary word and a year falls to a wordlist attack long before its length would suggest. It all comes down to “how long would it take for someone to crack my password”.
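To put numbers on “how long would it take”, here is an added PHP example (not part of the original article or of Shield Security) that estimates crack time for a few constructed candidate passwords. The guess rates, the tiny wordlist and the candidates are all assumptions: the point is the comparison, not the absolute figures. It shows why a word-plus-year password is weak regardless of its length, why a short “complex” password is fine against a throttled login form but not against an offline attack on a stolen hash, and why the hash algorithm the site uses matters as much as the password.

```php
<?php
// Added example, not Shield Security code. Rough crack-time estimates to show
// that length is only one factor in password strength.

// Assumed guess rates (guesses per second); illustrative, not measured.
const RATE_ONLINE_THROTTLED  = 10;    // a login form with lockouts / rate limiting
const RATE_OFFLINE_SLOW_HASH = 1e5;   // cracking a deliberately slow hash (e.g. bcrypt)
const RATE_OFFLINE_FAST_HASH = 1e10;  // GPU cracking of a fast, unsalted hash

// Constructed stand-in for the wordlist a cracking rig actually carries.
const COMMON_WORDS = array( 'rex', 'buddy', 'smith', 'password', 'summer', 'liverpool' );

/** Search space if the attacker must try every combination of the classes used. */
function brute_force_space( string $pw ): float {
    $size = 0;
    if ( preg_match( '/[a-z]/', $pw ) )        $size += 26;
    if ( preg_match( '/[A-Z]/', $pw ) )        $size += 26;
    if ( preg_match( '/[0-9]/', $pw ) )        $size += 10;
    if ( preg_match( '/[^a-zA-Z0-9]/', $pw ) ) $size += 33;  // printable ASCII symbols
    return pow( $size, strlen( $pw ) );
}

/**
 * Search space if the password is really "dictionary word + digits/symbols",
 * the shape most human-chosen passwords have. Returns null when the password
 * does not match, i.e. the brute-force figure is the best estimate we have.
 */
function pattern_space( string $pw ): ?float {
    if ( preg_match( '/^([A-Za-z]+)([0-9!@#$%^&*]*)$/', $pw, $m )
         && in_array( strtolower( $m[1] ), COMMON_WORDS, true ) ) {
        // wordlist size * a few capitalisation variants * suffix alphabet ^ suffix length
        return count( COMMON_WORDS ) * 4 * pow( 43, strlen( $m[2] ) );
    }
    return null;
}

/** Expected guesses is half the search space; convert to seconds at a given rate. */
function crack_seconds( string $pw, float $rate ): float {
    $space = pattern_space( $pw ) ?? brute_force_space( $pw );
    return ( $space / 2 ) / $rate;
}

function human_time( float $s ): string {
    if ( $s < 60 )       return sprintf( '%.0f seconds', $s );
    if ( $s < 3600 )     return sprintf( '%.0f minutes', $s / 60 );
    if ( $s < 86400 )    return sprintf( '%.0f hours', $s / 3600 );
    if ( $s < 31557600 ) return sprintf( '%.0f days', $s / 86400 );
    return sprintf( '%.1e years', $s / 31557600 );
}

// Constructed candidates: a dog's name plus a year, a short "complex" password,
// and a long all-lowercase passphrase.
foreach ( array( 'Rex2010', 'Tr0ub4d!', 'correcthorsebatterystaple' ) as $pw ) {
    printf( "%-26s online: %-14s offline/slow: %-14s offline/fast: %s\n",
        $pw,
        human_time( crack_seconds( $pw, RATE_ONLINE_THROTTLED ) ),
        human_time( crack_seconds( $pw, RATE_OFFLINE_SLOW_HASH ) ),
        human_time( crack_seconds( $pw, RATE_OFFLINE_FAST_HASH ) ) );
}
```

The passphrase figure is optimistic, since a real attacker would combine dictionary words rather than brute-force 25 lowercase characters, but even a four-word combination attack leaves it far ahead of the other two. The word-plus-year case is the one the article warns about: its seven characters are worth a few million guesses, not the tens of trillions a naive charset calculation would give.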

Apply To Existing Passwords

This lets you retrospectively apply your password policies to users and their existing passwords. When a password is found that doesn’t meet your minimum requirements, it’ll force the user to change their password before allowing any other actions.

Note: WordPress stores only a hash of each password, so the plugin can only test an existing password’s strength when the user next logs in successfully and submits it in clear.

Password Expiration

This will force any user to change their password once the expiration period (in days) has elapsed. The counter starts from the next time the user logs in, not from the moment the option is enabled.